Principles of Information Security Unit 5- Intrusions


Presentation Transcript


  1. Principles of Information Security, Unit 5 - Intrusions
  Sanjay Rawat, Sanjay_r@vnrvjiet.in
  PIS -Unit5 Sanjay Rawat

  2. Overview
  • Intrusions and Intrusion Detection/Prevention
  • Malicious Programs
  • Firewalls
  Text Book: W. Stallings, “Cryptography and Network Security”, Part IV, Chapters 18-20.

  3. Intruders/Intrusions
  • Actor with unauthorized access to a system:
    • masquerader
    • misfeasor
    • clandestine user
  • Hostile, or at least unwanted, trespass by users or software.
  • Trespass by software -> malware

  4. Intruders/Intrusions
  • DARPA IDS Evaluation Project 1998 attack categories [1]:
    • Probes
    • Denial of Service (DoS)
    • Remote to Local (R2L)
    • User to Root (U2R)
  [1] http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/docs/attackDB.html

  5. Historical Facts
  • May 1996: 10 major agencies, comprising 98% of the Federal Budget, were attacked, with a 64% attack success rate.
  • Feb 2000: DoS attacks against the world’s largest commercial web sites, including yahoo.com and amazon.com.
  • July 2001: the Code Red virus sweeps across the whole world, infecting 150,000 computers in just 14 hours.
  • Sept 2001: the NIMDA virus spreads to computers all across the US, lasts for days and attacks over 80,000 computers.

  6. Attack Statistics
  Courtesy: http://hackmageddon.com/category/security/cyber-attacks-statistics/
  What Bruce Schneier said: “Security is a chain… the problem lies elsewhere, i.e. software…”

  7. Attack Statistics
  Symantec Security Report 2011

  8. Attacker’s Picture
  Courtesy: Internet source

  9. General Attack Methodology
  • Aim: to gain access to and/or increase privileges on a system.
  • Basic attack methodology:
    • target acquisition and information gathering (reconnaissance)
    • initial access (e.g. exploiting some vulnerability)
    • privilege escalation (exploiting some vulnerability)
    • covering tracks
  • The goal is then to exercise the access rights of the owner.

  10. Password cracking
  • One of the most common attacks.
  • The attacker knows a login (from email, a web page, etc.) and then attempts to guess the password for it:
    • defaults, short passwords, common-word searches
    • user info (variations on names, birthday, phone, common words/interests)
    • exhaustively searching all possible passwords
  • Guesses are checked by logging in or against a stolen password file.
  • Success depends on the password chosen by the user; surveys show many users choose poorly.

  11. Password cracking (contd.)
  • Another attack involves password capture:
    • watching over the shoulder as the password is entered
    • using a trojan horse program to collect passwords, e.g. keyloggers
    • monitoring an insecure network login (sniffers), e.g. telnet, FTP, web, email
    • extracting recorded info after a successful login (web history/cache, last number dialed, etc.)
  • With a valid login/password the attacker can impersonate the user.
  • Users need to be educated to use suitable precautions/countermeasures.

  12. Software Vulnerabilities
  • If password guessing fails or is not possible, what next? Exploit a software weakness.
  • Low-level bugs like buffer overflow, heap overflow, format string, return-to-libc, etc.
  • Web-specific attacks, like cross-site scripting (XSS), SQL injection, directory traversal, etc.
  How to defend, then?

  13. Intrusion Detection Systems
  What is intrusion detection?
  • Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms.

  14. Some General Characteristics
  • The ability to react in a timely fashion to prevent substantive damage, by automatic or manual intervention.
  • The ability to identify activity that is the precursor of more serious attacks.
  • The ability to identify a perpetrator.
  • The ability to discover new attack patterns.
  • The ability to produce evidence.

  15. Why is an IDS Needed? Is a Firewall Not Enough?
  • To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.
  • To detect attacks and other security violations that are not prevented by other security measures.
  • To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities).
  • To document the existing threat to an organization.
  • To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.
  IDS: another wall of protection.

  16. Generic IDS Architecture
  From Wenke Lee et al.

  17. Types of IDS
  • Based on data collection:
    • Network based: detects attacks by capturing and analyzing network packets.
    • Host based: utilizes information sources of two types, operating system audit trails and system logs.
  • Advantages and disadvantages

  18. NIDS
  • A NIDS uses a passive interface to capture network packets for analysis.
  • NIDS sensors placed around the globe can be configured to report back to a central site, enabling a small team of security experts to support a large enterprise.
  • Most network-based IDSs are OS-independent.
  • Provide better security against DoS attacks (?)

  19. NIDS Disadvantages
  • Cannot scan protocols or content if network traffic is encrypted.
  • Intrusion detection becomes more difficult on modern switched networks.
  • Current network-based monitoring approaches cannot efficiently handle high-speed networks.
  • Most network-based systems rely on predefined attack signatures, which will always be a step behind the latest underground exploits.
  • For HIDS, reverse the advantage/disadvantage points.

  20. Types of IDS (contd.)
  • Based on processing:
    • Misuse detection (a.k.a. signature based): analyzes system activity, looking for events or sets of events that match a predefined pattern of events that describes a known attack.
    • Anomaly detection: identifies abnormal or unusual behavior (anomalies) on a host or network.

  21. Current Trend in IDS
  • Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models.
  • It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.

  22. IDS Management
  • Centralized

  23. IDS Management
  • Partially Distributed

  24. IDS Management
  • Fully Distributed

  25. Deploying NIDS

  26. Intrusion Prevention System
  • IPS = IDS + Firewall
  • An IPS offers the ability to identify an intrusion, its relevance and impact, perform proper analysis of the event, and then pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event's risk.
  • An IPS is the next security layer to be introduced in the system: it combines the protection of firewalls with the monitoring ability of an IDS to protect our networks, with the analysis necessary to make the proper decisions on the fly.

  27. Approaches to IDS
  • Anomaly Based Approaches:
    • Statistical Techniques:
      • threshold detection
        • count occurrences of a specific event over time
        • if the count exceeds a reasonable value, assume intrusion
        • alone it is a crude and ineffective detector
      • profile based
        • characterize past behavior of users
        • detect significant deviations from this
        • a profile is usually multi-parameter

  28. Statistical Techniques (contd.)
  • Audit Record Analysis
    • foundation of statistical approaches
    • analyze records to get metrics over time: counter, gauge, interval timer, resource use
    • use various tests on these to determine if current behavior is acceptable: mean & standard deviation, multivariate, Markov process, time series, operational
    • key advantage: no prior knowledge of attacks is used
  • TODO: Table 18.1
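The threshold and profile-based statistical detectors from slides 27 and 28 side by side, as an added worked example that is not from the slides or the textbook; the per-user failed-login counters, the fixed limit and the k = 3 deviation factor are constructed.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed audit-record metric (a "counter" in the slides' terms):
# failed logins per hour for each user, one value per past hour.
HISTORY: Dict[str, List[int]] = {
    "alice": [1, 0, 2, 1, 0, 1, 2, 1, 0, 1],   # quiet user
    "bob":   [5, 6, 4, 7, 5, 6, 5, 4, 6, 5],   # habitually fat-fingers passwords
}


def threshold_alert(count: int, limit: int = 10) -> bool:
    """Threshold detection: alert when a counter exceeds one fixed limit
    (the 'crude' detector of slide 27; the limit is a constructed value)."""
    return count > limit


def build_profile(samples: List[int]) -> Tuple[float, float]:
    """Profile-based: characterise a user's past behaviour by the mean and
    (population) standard deviation of the counter."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def profile_alert(count: int, profile: Tuple[float, float], k: float = 3.0) -> bool:
    """Alert when the current value deviates from the user's mean by more
    than k standard deviations. The floor on std stops a near-constant
    history from flagging every one-count change."""
    mean, std = profile
    std = max(std, 0.5)
    return abs(count - mean) > k * std


def evaluate(user: str, count: int) -> Dict[str, bool]:
    """Run both detectors on this hour's counter for one user."""
    profile = build_profile(HISTORY[user])
    return {
        "threshold": threshold_alert(count),
        "profile": profile_alert(count, profile),
    }


if __name__ == "__main__":
    # alice with 6 failures: below the fixed limit, but ~7 sigma from her profile
    print("alice, 6 failures:", evaluate("alice", 6))
    # bob with 6 failures: normal for him under both detectors
    print("bob, 6 failures:", evaluate("bob", 6))
```

The same count of six failed logins is an anomaly for alice and routine for bob, which is why slide 27 calls the fixed threshold crude on its own.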

  29. Approaches to IDS
  • Anomaly Based Approaches:
    • Rule Based Approaches:
      • analyze historical audit records to identify usage patterns and auto-generate rules for them
      • then observe current behavior and match it against the rules to see if it conforms
      • Examples: decision trees, rough sets, many DM/ML algorithms

  30. Approaches to IDS
  • Misuse Based Approaches (a.k.a. rule-based penetration identification):
    • Regular expression matching
    • Expert systems
    • Rule based systems for attacks ONLY
    • Behavior learning (mainly for malware)

  31. Honeypots
  • Decoy systems to lure attackers:
    • away from accessing critical systems
    • to collect information on their activities
    • to encourage the attacker to stay on the system so the administrator can respond
  • Filled with fabricated information.
  • Instrumented to collect detailed information on attackers' activities.
  • Single or multiple networked systems.
